[wp-hackers] Should password hashing portability be configurable?

Otto otto at ottodestruct.com
Wed Nov 7 19:24:06 UTC 2012


Yes, that said, bcrypt was indeed intentionally designed to be
slow-as-heck for hashing, so it would be more secure in theory. I have
my doubts about that in practice. Modern GPU based crackers are
uber-fast.

Since we're on 5.3 and up now, it does make sense to remove the "true"
from those functions, since every PHP 5.3 should have bcrypt in it.
Might be worth making a core ticket for it instead of a plugin.

-Otto


On Wed, Nov 7, 2012 at 1:22 PM, Harry Metcalfe <harry at dxw.com> wrote:
>
>> The underlying cryptographic hash function is pretty much
>> irrelevant to the concept of password storage.
>
> As far as choosing between MD5/SHA256/similar, I agree. But bcrypt is
> different.
>
>> Unless the hash algorithm is extremely slow, [...]
>
> This is exactly the point. bcrypt is, by design, very slow. And it can be
> adjusted to make it slower as computing power becomes cheaper. More:
>
> http://en.wikipedia.org/wiki/Bcrypt
> http://codahale.com/how-to-safely-store-a-password/
>
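A worked illustration of the two points raised above (dropping the portable "true" so phpass emits bcrypt, and raising the cost as hardware gets cheaper), written as an added example for this thread rather than code from WordPress or phpass. It assumes the openwall PasswordHash class is loadable from class-phpass.php; BCRYPT_COST, hash_password_bcrypt(), bcrypt_cost_of() and check_and_upgrade() are hypothetical names.

```php
<?php
// Added example, not WordPress or phpass code. Assumes the openwall phpass
// PasswordHash class is available; BCRYPT_COST is a hypothetical site setting.
require_once 'class-phpass.php';

// log2 of the bcrypt work factor; raise this over time as crackers get faster.
const BCRYPT_COST = 10;

// Non-portable mode: phpass calls crypt() with a $2a$ bcrypt salt when
// CRYPT_BLOWFISH is present, which PHP 5.3+ guarantees. Passing true instead
// forces the MD5-based $P$ "portable" scheme for every new hash.
function hash_password_bcrypt($password) {
    $hasher = new PasswordHash(BCRYPT_COST, false);
    $hash = $hasher->HashPassword($password);
    // phpass silently falls back to weaker schemes; refuse rather than accept one.
    if (strlen($hash) != 60 || !preg_match('/^\$2[axy]\$/', $hash)) {
        throw new RuntimeException('bcrypt unavailable; refusing to fall back');
    }
    return $hash;
}

// Cost encoded in a bcrypt hash, or null for anything else (e.g. legacy $P$).
function bcrypt_cost_of($hash) {
    if (preg_match('/^\$2[axy]\$(\d{2})\$/', $hash, $m)) {
        return (int) $m[1];
    }
    return null;
}

// Verify at login. If the stored hash is a legacy $P$ hash, or bcrypt with a
// cost below the current setting, return a fresh hash for the caller to store.
// Login is the only moment the plaintext is available, so upgrades happen here.
function check_and_upgrade($password, $stored_hash) {
    $hasher = new PasswordHash(BCRYPT_COST, false); // CheckPassword still verifies $P$
    if (!$hasher->CheckPassword($password, $stored_hash)) {
        return array(false, null);
    }
    $cost = bcrypt_cost_of($stored_hash);
    if ($cost === null || $cost < BCRYPT_COST) {
        return array(true, hash_password_bcrypt($password));
    }
    return array(true, null);
}
```

Bumping BCRYPT_COST later does not invalidate existing hashes; each user is re-hashed at the stronger cost on their next successful login.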
